Closed Bug 1297142 Opened 9 years ago Closed 9 years ago

Assertion failure: callee_saved_value == get_register(r4), at js/src/jit/arm/Simulator-arm.cpp:4695 or Crash [@ js::gc::IsInsideNursery] with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
ARM
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1293311
Tracking Flags:
Tracking Status
firefox51 --- affected

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:])

Crash Data

The following testcase crashes on mozilla-central revision f97a056ae623 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-check-range-analysis): var lfLogBuffer = ` //corefuzz-dcd-selectmode 4 function testcase() { testcase(TypedObject.objectType, 2147483731); eval('function foo() { var arguments, arguments = 42;}'); } //corefuzz-dcd-endofdata const libdir = "x"; //corefuzz-dcd-endofdata //corefuzz-dcd-selectmode 2 function separator() {} testcase() `; lfLogBuffer = lfLogBuffer.split('\n'); var lfCodeBuffer = ""; while (true) { var line = lfLogBuffer.shift(); if (line == null) { break; } else if (line == "//corefuzz-dcd-endofdata") { loadFile(lfCodeBuffer); lfCodeBuffer = ""; } else if (line.indexOf("//corefuzz-dcd-selectmode ") === 0) { loadFile(line); } else { lfCodeBuffer += line + "\n"; } } if (lfCodeBuffer) loadFile(lfCodeBuffer); function loadFile(lfVarx) { if (lfVarx.indexOf("//corefuzz-dcd-selectmode ") === 0) { lfRunTypeId = parseInt(lfVarx.split(" ")[1]); } else { switch (lfRunTypeId) { case 2: oomTest(new Function(lfVarx)); case 4: oomTest(function() { let m = parseModule(lfVarx); }); evaluate(lfVarx); } } } Backtrace: received signal SIGSEGV, Segmentation fault. 0x0849d8ce in js::jit::Simulator::callInternal (this=0xf796d000, entry=0xf7be29c0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4695 #0 0x0849d8ce in js::jit::Simulator::callInternal (this=0xf796d000, entry=0xf7be29c0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4695 #1 0x0849da91 in js::jit::Simulator::call (this=<optimized out>, entry=0xf7be29c0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4774 #2 0x082838cd in EnterIon (data=..., cx=0xf7953000) at js/src/jit/Ion.cpp:2829 #3 js::jit::IonCannon (cx=0xf7953000, state=...) at js/src/jit/Ion.cpp:2926 #4 0x086b36fa in Interpret (cx=0xf7953000, state=...) at js/src/vm/Interpreter.cpp:2912 #5 0x086b3a0e in js::RunScript (cx=0xf7953000, state=...) at js/src/vm/Interpreter.cpp:399 #6 0x086b3cc3 in js::InternalCallOrConstruct (cx=0xf7953000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:471 #7 0x086b3efd in InternalCall (cx=cx@entry=0xf7953000, args=...) at js/src/vm/Interpreter.cpp:498 #8 0x086b408b in js::Call (cx=0xf7953000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:517 #9 0x084cc0db in JS_CallFunction (cx=0xf7953000, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2799 #10 0x08821114 in OOMTest (cx=0xf7953000, argc=1, vp=0xf40810b8) at js/src/builtin/TestingFunctions.cpp:1404 #11 0x086bb3fb in js::CallJSNative (cx=0xf7953000, native=0x8820e50 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235 [...] #39 main (argc=6, argv=0xffffcd84, envp=0xffffcda0) at js/src/shell/js.cpp:7603 eax 0x0 0 ebx 0x8bedff4 146726900 ecx 0xf7da4864 -136689564 edx 0x0 0 esi 0xf796d000 -141111296 edi 0xfffffffe -2 ebp 0xffffad38 4294946104 esp 0xffffacb0 4294945968 eip 0x849d8ce <js::jit::Simulator::callInternal(unsigned char*)+1422> => 0x849d8ce <js::jit::Simulator::callInternal(unsigned char*)+1422>: movl $0x0,0x0 0x849d8d8 <js::jit::Simulator::callInternal(unsigned char*)+1432>: ud2 I'm marking this s-s because I've seen a less reduced testcase crash with a GC signature. It could be a separate bug but until we have a fix for this one, it's hard to tell.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Setting needinfo? from :jolesen our ARM guru here, how should we move this forward?
Flags: needinfo?(jolesen)
The assertion would suggest that we're calling ARM code that doesn't preserve the callee-saved registers correctly, but of course it could also mean that everything has been messed up. Ben, could this be related to the recent 64-bit changes?
Flags: needinfo?(jolesen) → needinfo?(bbouvier)
I don't see any wasm on the stack or in the original script. This could be indeed related to regalloc changes causing this, but it seems strange. Can we have a (manual) regression range here, please?
Flags: needinfo?(bbouvier)
Flags: needinfo?(gary)
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/772713cbce54 user: Jan de Mooij date: Sat Jun 11 15:01:49 2016 +0200 summary: Bug 1272598 part 5 - Allocate arguments objects from Ion JIT code. r=luke Jan, is bug 1272598 a likely regressor? (Also, this seems to be an intermittent issue)
Blocks: 1272598
Flags: needinfo?(gary) → needinfo?(jdemooij)
I can reproduce this at an older revision, but not when I apply the patch for bug 1293311.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.